Hackers are Stealing Credit Card Details Using Google Analytics

Posted on June 24, 2020 at 11:15 AM

A recent report reveals that hackers are using Google Analytics and Google's own servers to steal credit card information from customers paying at online stores.

The hackers use the Google Analytics API to bypass Content Security Policy (CSP), a technique already seen in ongoing Magecart attacks. The campaign was designed to steal credit card details from dozens of e-commerce sites.

Based on independent reports from Sansec, Kaspersky, and PerimeterX, the hackers plant data-stealing code on the compromised websites alongside the tracking code generated by Google Analytics. This lets them steal payment information entered by users, even when CSP is fully enforced.

“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics,” Kaspersky reported yesterday.

The cybersecurity company also pointed out that the hackers can access the stolen data in their own Google Analytics accounts.

Circumventing Content Security Policy

The method exploits the fact that e-commerce websites that use Google's web analytics allow the Google Analytics domains in their CSP.

According to the security firms PerimeterX and Sansec, relying on CSP to prevent credit card skimming on sites that use Google Analytics is a waste of time, because threat actors can simply harvest the data into their own Google Analytics accounts.

PerimeterX found that this stems from core CSP functionality, which attackers can easily exploit whenever CSP is used to block credit card or credential theft.

CSP is an additional security measure for detecting and mitigating cross-site scripting vulnerabilities and other types of code-injection attack.

It gives site owners the ability to define the permitted interactions between the web browser and specific URLs, with the aim of preventing the execution of untrusted code.

According to PerimeterX, the main issue is that CSP's rule system is not granular enough, so finding and stopping the malicious JavaScript request requires advanced visibility solutions. Without that visibility, a malicious script can quietly collect and exfiltrate sensitive user data, such as users' email addresses and passwords.
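The limitation described above can be made concrete by auditing a policy. CSP matches a source by scheme, host and path only, so any directive that allows a shared analytics collector also admits beacons to every account on that collector; the account id travels in the query string or request body, which CSP never inspects. The following auditor is an added example written for this article, not code from PerimeterX, Sansec or Kaspersky; the list of shared collector hosts and the sample policies are constructed for the demonstration.

```javascript
// Added example (not from the article): flag CSP sources that admit a shared
// analytics collector, where the tenant/account id is carried in the query or
// body rather than in the host or path that CSP can match.

// Constructed list of shared collector hosts; an assumption for this example.
const SHARED_COLLECTORS = [
  'www.google-analytics.com',
  'google-analytics.com',
  'analytics.google.com',
  'stats.g.doubleclick.net',
];

// Parse "directive value value; directive value" into a Map of directive -> values.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy.set(name.toLowerCase(), values);
  }
  return policy;
}

// Host part of a source expression such as
// "https://www.google-analytics.com/collect" or "*.google-analytics.com".
function hostOf(source) {
  let s = source.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  s = s.split('/')[0].split(':')[0];
  return s.toLowerCase();
}

// True if the host (possibly a "*." wildcard) covers a shared collector.
function matchesShared(host) {
  return SHARED_COLLECTORS.some(c =>
    host === c || (host.startsWith('*.') && c.endsWith(host.slice(1))));
}

// Findings for the directives that govern outbound channels a skimmer can use.
// A directive missing from the policy inherits default-src, and that is noted.
function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  for (const directive of ['connect-src', 'img-src', 'script-src']) {
    let sources = policy.get(directive);
    let inherited = false;
    if (!sources) {
      sources = policy.get('default-src') || [];
      inherited = true;
    }
    for (const src of sources) {
      if (src.startsWith("'")) continue; // keyword sources such as 'self'
      if (src === '*' || src === 'https:' || src === 'http:') {
        findings.push({ directive, source: src, inherited,
          reason: 'wildcard admits any host' });
        continue;
      }
      if (matchesShared(hostOf(src))) {
        findings.push({ directive, source: src, inherited,
          reason: 'shared collector; account id lives in query/body, which CSP cannot match' });
      }
    }
  }
  return findings;
}

// Constructed sample: a typical policy for a store that embeds Google Analytics.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://www.google-analytics.com/collect; img-src 'self' data:";

console.log(auditCsp(SAMPLE_POLICY));
```

A finding is a prompt for scrutiny rather than a verdict: the page still needs the collector for its own analytics, and the fix the article attributes to Sansec (an account id in the host or path) is not something a site can apply on its own. Note that the path-qualified `/collect` entry is flagged just like the bare host, because the path narrows the endpoint but not the account.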

Harvesting data this way requires only a small piece of JavaScript that transmits the gathered details, such as payment information and credentials.

The script also relies on the fields Google Analytics uses to uniquely identify different actions on the site. Kaspersky noted that, interestingly, the actors can carry out the attack without downloading any external source code.

To keep the attack hidden, the actors also check whether developer mode has been activated in the visitor's browser; if it is not enabled, the script proceeds to its next step. Developer mode is a feature often used to spot security errors and inspect network requests, and it is an important aid in protecting the site against exploitation.

Possible data theft prevention

In a separate report, the security firm Sansec explained that a similar campaign delivered malicious code to various stores using JavaScript hosted on Google Firebase. The firm said it first discovered the new malware actor on March 17.

To further conceal the activity, the hacker sets up a temporary iFrame to load an attacker-controlled Google Analytics account. The credit card details are then encrypted and delivered to the analytics console, where the encryption key is used to recover them.

With Google Analytics so widely used, measures like CSP will not be effective when the actors steal sensitive information through an already allowed domain.

The only viable solution would be adaptive URLs, or including the account ID as part of the subdomain or URL. This would let admins establish CSP rules that prevent data exfiltration to other accounts, Sansec concluded.
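Until collectors carry the account id in the host or path, the check has to happen where the account id is visible: in the page itself or in a client-side monitoring layer. A site knows its own property id, so a beacon to the Google Analytics collector carrying a different `tid` is exactly the pattern described above, a foreign account receiving data from the page. The classifier below is an added example written for this article, not code from any of the firms it cites; the property id `UA-000000-1`, the collector host list and the captured beacons are constructed for the demonstration.

```javascript
// Added example (not from the article): classify outbound analytics beacons by
// the tracking id they carry and surface the ones bound for a foreign account.

// Constructed list of collector hosts; an assumption for this example.
const GA_HOSTS = new Set([
  'www.google-analytics.com',
  'google-analytics.com',
  'analytics.google.com',
]);

// Pull a "tid" parameter from the URL query or from a urlencoded POST body.
// Batched hits put one urlencoded hit per line, so each line is checked.
function extractTid(url, body) {
  const fromQuery = new URL(url).searchParams.get('tid');
  if (fromQuery) return fromQuery;
  if (typeof body === 'string' && body.length > 0) {
    for (const line of body.split('\n')) {
      const tid = new URLSearchParams(line).get('tid');
      if (tid) return tid;
    }
  }
  return null;
}

// Verdicts: 'not-analytics' | 'own' | 'foreign' | 'unknown'
function classifyBeacon(url, body, ownTid) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return 'not-analytics'; // relative or malformed URL: not a collector hit
  }
  if (!GA_HOSTS.has(host)) return 'not-analytics';
  const tid = extractTid(url, body);
  if (tid === null) return 'unknown';
  return tid === ownTid ? 'own' : 'foreign';
}

// Run the classifier over captured beacons and keep only the foreign ones.
function findForeignBeacons(beacons, ownTid) {
  return beacons
    .map(b => ({ ...b, verdict: classifyBeacon(b.url, b.body, ownTid) }))
    .filter(b => b.verdict === 'foreign');
}

// Optional in-page hook: wrap navigator.sendBeacon so the check runs on live
// traffic. It reports and passes the call through; it does not block.
function installBeaconMonitor(ownTid, report) {
  if (typeof navigator === 'undefined' || !navigator.sendBeacon) return false;
  const original = navigator.sendBeacon.bind(navigator);
  navigator.sendBeacon = function (url, data) {
    const body = typeof data === 'string' ? data : '';
    const verdict = classifyBeacon(String(url), body, ownTid);
    if (verdict === 'foreign') report({ url: String(url), verdict });
    return original(url, data);
  };
  return true;
}

// Constructed sample traffic: the site's own pageview, a legitimate API call,
// and an event hit whose tid belongs to someone else.
const OWN_TID = 'UA-000000-1';
const SAMPLE_BEACONS = [
  { url: 'https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&t=pageview', body: '' },
  { url: 'https://shop.example/api/cart', body: 'item=42' },
  { url: 'https://www.google-analytics.com/collect', body: 'v=1&tid=UA-999999-9&t=event&ea=x' },
];

console.log(findForeignBeacons(SAMPLE_BEACONS, OWN_TID));
```

The monitor is deliberately report-only: blocking in page script is easy to bypass for an attacker who already runs code in the page, whereas a report to the site's own backend gives the operator a signal that CSP, by design, cannot produce. Beacons sent through `fetch`, `XMLHttpRequest` or image requests would need the same classifier applied at their own hook points.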

Publisher: Koddos